At the end of April, Microsoft updated the Enhanced Mitigation Experience Toolkit to version 4.1 update 1 (download) and after testing this for a couple of weeks on several systems, and this, in my honest opinion, should become the standard installation on all your networks as Systems Administrator.
No matter where you are today, software is there. Whether it’s your phone, your car, your work or even in the grocery store. One thing that is common to all these software’s is vulnerabilities. Vendor market share, the motivation of the attackers and the profile of a victim all play into who ultimately gets attacked and who doesn’t. However, there is a free tool that can help. EMET is a utility designed to help IT Professionals protect systems from common threats, and works by applying security mitigation technologies to arbitrary applications to block against exploitation.
You may think, “hey, but I’ve a nice anti-virus product installed on my computer, I don’t need this?”, maybe… Anti-virus products check if the executable isn’t a virus itself, but it doesn’t enable DEP or other mitigation technologies on your system, so you’re missing an extra security layer.
In 2010, if you deployed EMET, you could have blocked 90% of the memory corruption exploits that were found in common productivity applications without ever applying the fixes (although we still of course encourage everyone to apply their updates).
Why are those techniques not by installed by default onto Windows products, if it is that good? Probably the problem is, I think if they do, they get whining from the EC on the pushing away competition again… Remember the N versions of Windows or the most horrible update ever for Administrators, KB976002, The Browser Choice Screen.
EMET supports Windows 7, Windows 8, Windows 8.1, Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista Service Pack 1, and Windows XP Service Pack 3. Yes, you can also use it on Legacy Operation Systems and on Remote Desktop Session Hosts. And is also configurable with Group Policy Objects (GPO). In later parts of this blog I’ll demonstrate how to install EMET on serveral systems.
What kind of mitigation technologies are used in EMET?
- Data Execution Prevention (DEP) Security Mitigation
This is a memory protection mitigation that marks portions of a process’ memory non-executable. This makes it more difficult to an attacker to exploit memory corruption vulnerabilities.
- Structured Execution Handling Overwrite Protection (SEHOP) Security Mitigation
This mitigation performs Structured Execution Handler (SEH) chain validation and breaks SEH overwrite exploitation techniques.
- NullPage Security Mitigation
This blocks attackers from being able to take advantage of NULL dereferences in user mode. It functions by allocating the first page of memory before the program starts.
- Heapspray Allocation Security Mitigation
Heap spraying is an attack technique that involves filling a process’ heap with specially crafted content to aid in exploitation. Right now, many attackers rely on their content being placed at a common set of memory addresses. This mitigation is designed to pre-allocate those memory addresses and thus block these common attacks. Please note that it only aims to break current exploit that take advantage of these common addresses. It is not a general mitigation for the larger heap spraying attack. That said, if attackers do change the addresses they use, EMET users can change the addresses that are blocked.
- Export Address Table Filtering (EAF) Security Mitigation
This mitigation filters accesses to the Export Address Table (EAT), allowing or disallowing the read/write access based on the calling code. With EMET in place, most of today’s shellcode will be blocked when it tries to lookup the APIs needed for its payload.
- Mandatory Address Space Layout Randomization (ASLR) Security Mitigation
ASLR randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data at predictable locations. The problem with this is that all modules have to use a compile time flag to opt into this. Mandatory ASLR forces all modules to be loaded at randomized addresses regardless of what flags they were compiled with. Exploits relying on data at fixed addresses will fail.
- Bottom Up ASLR Security Mitigation
This mitigation randomizes (8 bits of entropy) the base address of bottom-up allocations (including heaps, stacks, and other memory allocations) once EMET has enabled this mitigation but not for previous allocations.
- Load Library Check – Return Oriented Programming (ROP) Security Mitigation
ROP is an exploitation technique that facilitate the execution of code in presence of mitigation like the Data Execution Prevention. In order to do that, the ROP technique use snippets of code that are already present in the application.
- Memory Protection Check – Return Oriented Programming (ROP) Security Mitigation
- Caller Checks – Return Oriented Programming (ROP) Security Mitigation
- Simulate Execution Flow – Return Oriented Programming (ROP) Security Mitigation
- Stack Pivot – Return Oriented Programming (ROP) Security Mitigation
Yes all those cool cryptic names for the techniques EMET uses are also free.
Google Chrome “Could not load Shockwave Flash”
With the default settings, the only problem I encountered while testing EMET, was that on several websites that uses Shockwave Flash, the browser responded with “Could not load Shockwave Flash”. The cause is according MS KB 2844195:
“The Structured Exception Handling Overwrite Protection (SEHOP) mitigation feature is preventing the Adobe Flash Player from functioning. The Popular Software policy enables all mitigations (including SEHOP) for applications included in the Popular Software policy of which Google Chrome is one.”
Simple solution, just disable SEHOP if you want to make use of Shockwave Flash in Google Chrome.
In the later parts of this article I will show the deployment of EMET on a standalone computers, how to use it in networking enviroments etc.